bec59a6b223ec9c4946545d0fbb8c971f9b55c0cedc304026f7eafeb0e115ebb

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 19:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2d8cbfc2fe974459978c113c56e85699_JaffaCakes118.exe
Size

199KB
MD5

2d8cbfc2fe974459978c113c56e85699
SHA1

9b13a5867df81e9637cfacda09d034eaf520b333
SHA256

bec59a6b223ec9c4946545d0fbb8c971f9b55c0cedc304026f7eafeb0e115ebb
SHA512

723ce15e3b01754d785b989ba58690f751cdc8c770eb8ef56a75cb411e5a5c2f01caa46c3a0612f9bf01423490cf04beb07ab37b905cd8251c00d99ef8c2209e
SSDEEP

3072:vW+DiW9iLo+GnHjKBpjuRGvFBS+pV9Kn7VfET1v6ALEUroo60JYnV:+KELo7GjucTSekWiqp2nV

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2572	server2.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	2d8cbfc2fe974459978c113c56e85699_JaffaCakes118.exe
2064	2d8cbfc2fe974459978c113c56e85699_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2d8cbfc2fe974459978c113c56e85699_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2572	server2.exe
2572	server2.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2572	2064	2d8cbfc2fe974459978c113c56e85699_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2572	2064	2d8cbfc2fe974459978c113c56e85699_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2572	2064	2d8cbfc2fe974459978c113c56e85699_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2572	2064	2d8cbfc2fe974459978c113c56e85699_JaffaCakes118.exe	30
PID 2572 wrote to memory of 1240	2572	server2.exe	21
PID 2572 wrote to memory of 1240	2572	server2.exe	21
PID 2572 wrote to memory of 1240	2572	server2.exe	21
PID 2572 wrote to memory of 1240	2572	server2.exe	21
PID 2572 wrote to memory of 1240	2572	server2.exe	21
PID 2572 wrote to memory of 1240	2572	server2.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\2d8cbfc2fe974459978c113c56e85699_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2d8cbfc2fe974459978c113c56e85699_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\server2.exe

Filesize
156KB

MD5
1efd365e7a60c9523270accbbb76d991

SHA1
8d44be95e87a9143f2fde73a548d043d13e013ba

SHA256
9528ede2a9746a3b85eab9b4ae43d58df98c624718103865e1892cd94fb22d46

SHA512
364446f12db81d71d505ae177db9b1638255659ab81bce50b87d782bdd4185087a66d90e3e340a22c4c77bd5de99d1f0da1b91db8a985cd546c28a7d4f34a8a8

Download Submit
memory/1240-15-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1240-21-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/2572-11-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2572-10-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2572-13-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2572-14-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2572-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download